Commit 9792e2a

Use ServletContext in AuthorizationManagerWebInvocationPrivilegeEvaluator
Closes gh-10908
1 parent 44508df commit 9792e2a

2 files changed

+27
-4
lines changed

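--- a/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
+++ b/web/src/main/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluator.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2021 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,13 +16,15 @@
 
 package org.springframework.security.web.access;
 
+import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.FilterInvocation;
 import org.springframework.util.Assert;
+import org.springframework.web.context.ServletContextAware;
 
 /**
 * An implementation of {@link WebInvocationPrivilegeEvaluator} which delegates the checks
@@ -31,10 +33,13 @@
 * @author Marcus Da Coregio
 * @since 5.5.5
 */
-public final class AuthorizationManagerWebInvocationPrivilegeEvaluator implements WebInvocationPrivilegeEvaluator {
+public final class AuthorizationManagerWebInvocationPrivilegeEvaluator
+implements WebInvocationPrivilegeEvaluator, ServletContextAware {
 
 private final AuthorizationManager<HttpServletRequest> authorizationManager;
 
+private ServletContext servletContext;
+
 public AuthorizationManagerWebInvocationPrivilegeEvaluator(
 AuthorizationManager<HttpServletRequest> authorizationManager) {
 Assert.notNull(authorizationManager, "authorizationManager cannot be null");
@@ -48,10 +53,15 @@ public boolean isAllowed(String uri, Authentication authentication) {
 
 @Override
 public boolean isAllowed(String contextPath, String uri, String method, Authentication authentication) {
-FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method);
+FilterInvocation filterInvocation = new FilterInvocation(contextPath, uri, method, this.servletContext);
 AuthorizationDecision decision = this.authorizationManager.check(() -> authentication,
 filterInvocation.getHttpRequest());
 return decision == null || decision.isGranted();
 }
 
+@Override
+public void setServletContext(ServletContext servletContext) {
+this.servletContext = servletContext;
+}
+
 }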
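Review bot: `setServletContext` (new lines 62-65) has no Javadoc, and nothing in the class says that `servletContext` stays null when the evaluator is created with `new` rather than registered as a bean, in which case the `FilterInvocation` at new line 56 is presumably built as it was before this commit. Callers that rely on this evaluator to mirror what the filter chain enforces would benefit from that being stated, because an authorization manager whose matchers need the servlet context may then answer differently for the simulated request than for a real one. I would add a comment such as `/** Sets the {@link ServletContext} attached to the simulated request; if never called, the request is created without one. */` above the setter. The field at new line 41 is also the only non-final state in an otherwise immutable class, so a short field comment noting that it is presumably written once by the container during initialization would help the next reader.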

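--- a/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
+++ b/web/src/test/java/org/springframework/security/web/access/AuthorizationManagerWebInvocationPrivilegeEvaluatorTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2021 the original author or authors.
+* Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,14 +16,17 @@
 
 package org.springframework.security.web.access;
 
+import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
+import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.authentication.TestAuthentication;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
@@ -72,4 +75,14 @@ public void isAllowedWhenAuthorizationManagerAbstainsThenAllowedTrue() {
 assertThat(allowed).isTrue();
 }
 
+@Test
+public void isAllowedWhenServletContextExistsThenFilterInvocationHasServletContext() {
+ServletContext servletContext = new MockServletContext();
+this.privilegeEvaluator.setServletContext(servletContext);
+this.privilegeEvaluator.isAllowed("/test", TestAuthentication.authenticatedUser());
+ArgumentCaptor<HttpServletRequest> captor = ArgumentCaptor.forClass(HttpServletRequest.class);
+verify(this.authorizationManager).check(any(), captor.capture());
+assertThat(captor.getValue().getServletContext()).isSameAs(servletContext);
+}
+
 }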
